GB2516939A - Access authorisation system and secure data communications system - Google Patents


Info

Publication number: GB2516939A (also cited as GB 2516939 A)
Authority: GB (United Kingdom)
Prior art keywords: user, authenticator, access, data, access device
Legal status: Withdrawn
Application number: GB1314172.6A
Other versions: GB201314172D0 (en)
Inventors: Phillip Martin Shaw, Michael James Greaves
Current assignee: EUS ASSOCIATES Ltd
Original assignee: EUS ASSOCIATES Ltd

Events:
Application filed by EUS ASSOCIATES Ltd
Priority to GB1314172.6A (GB2516939A)
Publication of GB201314172D0
Priority to EP14762052.0A (EP3031036A2)
Priority to PCT/GB2014/052429 (WO2015019104A2)
Publication of GB2516939A
Legal status: Withdrawn

Classifications

    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 Individual registration on entry or exit
    • G07C9/20 Individual registration on entry or exit involving the use of a pass
    • G07C9/27 Individual registration on entry or exit involving the use of a pass with central registration
    • G07C9/00174 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
    • G07C9/00309 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks
    • G07C9/30 Individual registration on entry or exit not involving the use of a pass
    • G07C9/38 Individual registration on entry or exit not involving the use of a pass with central registration
    • G07C9/32 Individual registration on entry or exit not involving the use of a pass in combination with an identity check
    • G07C9/37 Individual registration on entry or exit not involving the use of a pass in combination with an identity check using biometric data, e.g. fingerprints, iris scans or voice recognition
    • G07C9/22 Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder
    • G07C9/25 Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder using biometric data, e.g. fingerprints, iris scans or voice recognition
    • G07C9/257 Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder using biometric data, e.g. fingerprints, iris scans or voice recognition electronically
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

An access authorisation system comprises a central authenticator 30, a user device 10 and an access device 20. The authenticator stores data relating to the user and access device, and a privilege granted to the user to use a resource controlled by the access device. The user causes the user device to request exercise of a privilege from the authenticator via a long-range communication. In response to this request, the authenticator requests authentication from the user in the form of personal identification data. This is transmitted to the authenticator and compared with the stored data to verify the user's identity. The authenticator then transmits a transaction token to the access device and to the user device. Via a short-range communication, the user device transmits the transaction token to the access device, and a matching operation is performed. The access device is arranged to allow exercise of the privilege if the result of the matching process meets predetermined criteria. A secure communication system between a verification device and a remote device is also disclosed.

Description

ACCESS AUTHORISATION SYSTEM AND SECURE DATA COMMUNICATIONS SYSTEM
Field of the Invention
This invention relates to an access authorisation system and to a system for secure data communication.
Background to the Invention
The increasing use of microprocessor-based control and monitoring systems in conjunction with portable devices such as mobile telephones (cell phones) creates greater opportunities for abuse for criminal or malicious purposes. One area of concern is the automotive field, where the greater use of telematics for such purposes as vehicle tracking or fleet management could potentially give rise to threats to vehicles or their users. For example, by linking vehicle system management computers to communications for reporting vehicle operations parameters, the risk is introduced of malicious interception of the communications for the purpose of adversely affecting the operation of the vehicle.
In addition, access to the operation of vehicles is currently based on physical keys in locks, or tokens wirelessly communicating with the vehicle system. In either case, possession of the key or token is all that is needed to allow use of the vehicle. It would be advantageous to be able to control use of a vehicle (or indeed other asset) through a device carried by the user that is not permanently linked to the vehicle or other asset, for example a mobile telephone or cell phone, with use rights being transmitted centrally to the user's device and to the vehicle or asset so that the vehicle or asset can recognise the user's device as granting access or other rights when in communication therewith.
More generally, there is a need to be able to communicate more securely with remote devices such as mobile telephones or vehicle telematics systems to minimise the risk of unauthorised operations.
Summary of the Invention
According to one aspect of the invention, there is provided an access authorisation system comprising a central authenticator, a user device and an access device, the user device and access device being remote from the central authenticator and each being programmable and configured to communicate with the other and with the central authenticator, wherein the authenticator stores: a user identifier and personal identity data associated therewith; an access device identifier and data relating to a resource controlled by the access device; and a privilege granted to the user to use a resource controlled by the access device; wherein the user device, the authenticator and the access device are programmed to perform the following steps in response to the user causing the user device to request from the authenticator exercise of the privilege:
(a) in response to receipt of the request, the authenticator instructs the user device to display to the user a request to input personal identity data;
(b) the user device transmits the personal identity data input by the user to the authenticator and the authenticator compares this with stored data to verify the user's identity;
(c) the authenticator transmits a transaction token to the access device and to the user device;
(d) the user device communicates with the access device to request exercise of the privilege, the communication including the user device transaction token; and
(e) a matching operation is performed on the user device transaction token and the access device transaction token, and the access device is arranged to allow exercise of the privilege if the result of the matching process meets predetermined criteria.
Another aspect of the invention provides a secure communication system between a verification device and a remote device, wherein the remote device comprises: communication means for transmitting data to and receiving data from the verification device; and processing means having an operating system for controlling the basic operation of the remote device and a container program installed thereon to function under the operating system; the verification device comprises: communication means for transmitting data to and receiving data from the remote device; and processing means programmed to communicate with the container program in the remote device to install on the remote device, in response to receipt of a communication request from the remote device, a temporary virtual machine controlling communication with the verification device independently of the operating system of the remote device; and the container program is configured to uninstall the virtual machine from the remote device in response to an instruction from the verification device via the virtual machine.
The invention also provides a secure data communications system, comprising first and second programmable devices configured to communicate with each other and with a remote server device configured to issue at intervals to the first device and the second device an encrypted security code, the system further being configured such that, when any of the devices initiates communication with any of the other devices by transmission of its security code, the receiving device compares the received code with the most recent security code received from the server and only allows communication to continue if the conformity between the codes and their transmission criteria is within predetermined limits.
The following is the composite list and description of elements to create the end-to-end system that will deliver the method.
Internet Cloud Based Service Engine - The Platform
The Platform is a multi-tiered "wholesale" architecture allowing diminishing grant of authority and administration. The prime function is to deploy white label sub-instances that can be separately branded, upon which a customer bespoke market can be created with the SDKs and APIs provided.
Secure Mobile Engine
A proprietary software system for securely delivering real-time customized applications, built within the rules of The Platform, to common portable internet devices (iPhone, Android, Microsoft Windows Mobile, Blackberry or a W3C compliant mobile browser). The software system does not create an installed application on a portable device but instead delivers a facsimile of a mobile application within a secure container, or "bubble". The system leaves no residual transactional data on the portable device, other than that which is required for facilitation of the visuals of an application once the app is closed or a specific function has been achieved. The content of the applications is based on composite elements of services and functionality borne from The Platform.
Any standard industry security technology can be applied to the transmission path between the platform and the display within the connected handheld device. The system also allows control and effect of hardware and API elements within the internet device, for example the ability to enable GPS, Bluetooth or a camera function. The system is however not a "web app", as access is through a proprietary software container rather than the generic device web browser.
Endpoint Gateway Application
This is a proprietary embedded software application within an open standard operating environment (e.g., Java, Android) that is effectively a remote agent of The Platform at the vehicle or secured object. This object (software or software within a device) controls a physical locking mechanism and the capability to allow access to connected downstream subsystems. This element may be represented either by a black box containing a controller chip with an embedded operating system (Java, Android etc.) or as an application which can function on a number of open standard embedded operating systems. The functions of this software are:
a) To provide a receptacle for the Secure Mobile Engine;
b) As agent software in which to deploy secure data via the mobile application fabric from within the platform;
c) To allow instructions from The Platform to parse encrypted or open messages to a vehicle's systems or subsystems, for example "open doors", "lock doors", "disable immobilizer", "start engine", via an API. Similarly, the vehicle can present subsystem messages to the vehicle gateway application to be encoded and sent to The Platform for processing, encapsulating within a context and publishing for availability to systems or services within The Platform or to external applications or databases;
d) To act as a security gateway, firewall and single point of ingress for external data communication to subsystems, IVI, critical safety systems, telematics data and functional system data (e.g., engine warning lights).
The Gateway Application operates in two modes: Online, where there is access to external internet based services via public wireless networks via the host iteration of The Platform; and an Offline mode where a perpetuating recursive logic system maintains vehicle system and subsystem security as well as conditional grant of access and use for validated and authorized drivers or those requiring access to the vehicle, and sequential validated access to sub-systems and functions.
An additional function of the gateway is to provide an authenticated identity information path back through The Platform to off-board web services (Twitter, Facebook etc.) and in doing so provides a "Single Sign On" facility for providing inbound web services or elements of web services into the higher functions of the car (e.g., the IVI or "head unit" display and its operating system). This allows prevention of the current issue of remnant services being retained in the vehicle (such as Satnav history, telephone records etc.), as each authenticated driver would see only their personal information rather than that of the previous driver/s.
Advantages of various aspects of the invention include:
i. Providing irrefutable proof of identity of a person wishing to access an object and control elements within that object, in context to their identity and their privileges in context to that system, in real-time, taking into account a theoretically limitless number of external contributing factors to that permission being granted.
ii. The ability to identify uniquely all occupants of a vehicle or building and potentially retain records of that entry scenario.
iii. Disambiguating the notion of a lock and key, or key token, with the metaphorical "unlocking" process being abstracted to The Platform or to proactive decision making by elements granted into the asset end point. This significantly reduces, if not negates, theft or fraudulent entry to the protected system. In the case of vehicles, if the system were overcome then the control software in the vehicle would, based upon rules, have the possibility to render the car inoperable once the engine had been turned off etc.
iv. Removing entirely the requirement to have a physical key (electronic or mechanical), smart card or entry token.
v. Providing a novel method of delivering secure data to a mobile internet device regardless of operating system, installing no viable recoverable data in that device in case of loss and subsequent hacking.
vi. If mobile data networks are not visible or out of coverage, the software within the protected system or object goes into offline mode, deploying a time-based unlock circulating code known only to that element and The Platform. Once an accredited person requires access, the reciprocal code is passed to the phone for the correct level of access and utilization. Once both the gateway and the handheld internet device are back in coverage, the normal process of real-time platform access falls back into place. Other systems offering a lock or unlock via mobile app do not address this problem.
vii. The capability to augment a potential flaw in the E-Call initiative. E-Call is a Europe-wide automotive automatic call to emergency services in the event of an accident. This call is preceded by a telematics data burst of location and other vehicle attributes to the emergency services. With our system in place, there is the capability to continue to send location and situational data (many mobile networks will not allow simultaneous voice and data connections). Therefore, with a tertiary data connection via The Platform, it will be possible to send continuous data relating to the situation, including for example vital signs indication, and link that situation not just to emergency services but also, via the Platform, which knows categorically who is driving the car, to provide access to medical records, insurance and recovery details, as well as information relating to the driver's friends, family, employer etc.
The invention therefore further provides a system installed in a vehicle comprising means for detecting vehicle criteria indicating the occurrence of an accident, and secure transmission means for transmitting to a central controller remote from said vehicle, in response to detection of said criteria, data identifying at least one or more occupants of the vehicle. Preferably, the vehicle includes vital signs detection means for detecting indications that one or more of the occupants is alive, for example by detecting sounds or CO2 measurements indicating breathing. The central controller may be configured to communicate relevant data to emergency services. The system is preferably associated with an E-Call installation in the vehicle, but capable of communicating independently of this.
Brief Description of the Drawings
In the drawings, which illustrate exemplary embodiments of the invention:
Figure 1 is a diagrammatic representation of a first aspect of the invention;
Figure 2 is a diagrammatic representation of a system in accordance with the invention for granting and exercising privileges controlling the use of motor vehicles.
Detailed Description of the Illustrated Embodiment
Figure 1 illustrates the general application of one aspect of the invention.
A mobile device or initiator 10, typically a mobile telephone, is used to request the exercise of a privilege relating to the use of a resource, which could be, for example, a car or a building, access to which is controlled by a Secure ID device (SID) 20, the administration of the privileges being controlled by an authenticator 30 (the "Platform"). The initiator 10, the SID 20 and the authenticator 30 are each configured to be in wireless communication with each other device.
Conveniently, the initiator 10 and the SID 20 will be configured to use GSM communication with the authenticator, and short-range wireless (Bluetooth®, WiFi, or Near Field Communication, for example) with each other. The underlying communication channel is represented in Figure 1 by the solid triangle 40.
The communications between the three devices 10, 20 and 30 will be established by way of an encrypted sub-channel, represented in Figure 1 by the broken lines, which is established between temporary virtual machines established in the initiator 10 and in the SID 20 in accordance with the method hereinafter described.
The authenticator 30 will typically be a central computer server system having access to a database of: a) users, containing personal identity data relating to each user; b) resources and the SIDs associated with each resource; and c) privileges granted to individual users relating to specified resources.
There will be a secure registration system to register a user and his or her personal identity data on the authenticator. The personal identity data may include, in addition to name, address and account details, biometric data such as fingerprint, retina scan, voice sample or face picture.
Privileges granted to the user in relation to a resource can be any activity relating to the use of the resource. For example, in access to a building, the privilege may be simple admission, or restricted time admission, while for resources such as vehicles, it may be permission to enter and drive the vehicle, permission to carry a specified number of passengers, or restricted driving hours (i.e. time of day). It will be appreciated that the possible privileges are not limited to these examples, and that they may relate to components of the resource as well as to the whole of it.
In use, the user with the initiator or mobile device 10, wishing to exercise a privilege in relation to the resource associated with the SID 20, will establish an encrypted communication channel with the authenticator 30 as hereinafter described, to make a request for exercise of the privilege. The authenticator 30 is programmed to respond by requesting identity data to be entered into the mobile device 10 by the user. The data requested by the authenticator will depend upon various factors, rules being established in the authenticator to take into account factors such as the resource, the privilege being requested, the person requesting the privilege, and the location of the person. For a low risk request, it may be considered sufficient to ask the user to enter a password, while a higher risk request may involve the provision of one or more biometric identifiers.
On receipt of the identity data, the authenticator establishes identity by reference to the stored data and then issues to the initiator 10 and the SID 20 a transaction token. The initiator 10 then communicates with the SID 20 to request exercise of the granted privilege, transmitting to the SID the transaction token received from the authenticator, either via the short range wireless link directly, or indirectly through GSM via the authenticator 30. The SID then performs a matching operation to match its token to that received from the initiator, allowing exercise of the privilege if the matching operation is successful.
In its simplest form, the transaction tokens sent to the initiator 10 and the SID 20 are the same, and the matching operation confirms this. However, for greater security the tokens may be dissimilar halves of a single token, which the matching operation combines and verifies in accordance with a predetermined algorithm. The tokens may be subject to encryption processing by the initiator and the SID after receipt, for example using the same time-related algorithm.
Where the tokens are complex, the degree of matching may not always be 100%, but criteria may be applied as to the degree of matching which is acceptable, taking into account the possibility of degradation in communication.
This degree may vary according to the circumstances.
In some circumstances, it may not be possible for the initiator and/or the SID to communicate at the time of the transaction with the authenticator. For example, the GSM signal might be unavailable in the particular location. It is therefore necessary to provide at least a limited or provisional grant of the privilege until communications are re-established. The procedure for this is included in the process steps hereinafter described.
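A worked simulation of steps (c) to (e), the split-token variant described above, added here as an example; it is not code from the patent or from EUS ASSOCIATES. It assumes a key shared between the authenticator and each SID (provisioned when the SID is activated), uses HMAC-SHA256 as the "predetermined algorithm" that verifies the recombined halves together with the transaction context, and adds an expiry and single use so that a captured half cannot be presented later. The key, identifiers and privilege names are constructed test values.

```python
import hashlib
import hmac
import secrets

# Constructed test key shared between the authenticator (30) and one SID (20).
# A real deployment would provision a distinct key per SID at activation.
SID_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
TOKEN_TTL = 120  # seconds a transaction token stays valid (assumed value)


def _binding(sid_key, token, user_id, sid_id, privilege, expiry):
    # The "predetermined algorithm": an HMAC over the whole token plus the
    # transaction context, so neither half alone and no altered context verifies.
    context = f"{user_id}|{sid_id}|{privilege}|{expiry}".encode()
    return hmac.new(sid_key, token + context, hashlib.sha256).digest()


def issue_transaction_token(sid_key, user_id, sid_id, privilege, now):
    """Authenticator step (c): one random token, split into dissimilar halves.
    Returns (message for the initiator 10, message for the SID 20)."""
    token = secrets.token_bytes(32)
    expiry = int(now) + TOKEN_TTL
    tag = _binding(sid_key, token, user_id, sid_id, privilege, expiry)
    initiator_msg = {"user_id": user_id, "half": token[:16], "privilege": privilege}
    sid_msg = {"user_id": user_id, "half": token[16:], "privilege": privilege,
               "expiry": expiry, "tag": tag}
    return initiator_msg, sid_msg


class SecureIdDevice:
    """Minimal model of the SID's matching operation (step (e))."""

    def __init__(self, sid_id, sid_key):
        self.sid_id = sid_id
        self.key = sid_key
        self.pending = {}  # user_id -> half and binding received from the authenticator

    def receive_from_authenticator(self, sid_msg):
        self.pending[sid_msg["user_id"]] = sid_msg

    def match(self, initiator_msg, now):
        """Steps (d)/(e): the initiator presents its half and the privilege it wants;
        the SID recombines the halves and verifies the binding. Returns (ok, reason)."""
        user_id = initiator_msg["user_id"]
        sid_msg = self.pending.get(user_id)
        if sid_msg is None:
            return False, "no token from authenticator for this user"
        if now > sid_msg["expiry"]:
            return False, "token expired"
        if initiator_msg["privilege"] != sid_msg["privilege"]:
            return False, "requested privilege differs from granted privilege"
        token = initiator_msg["half"] + sid_msg["half"]
        expected = _binding(self.key, token, user_id, self.sid_id,
                            sid_msg["privilege"], sid_msg["expiry"])
        # Constant-time comparison: a forged half cannot be refined byte by byte.
        if not hmac.compare_digest(expected, sid_msg["tag"]):
            return False, "halves do not combine to a valid token"
        del self.pending[user_id]  # single use: the half is consumed on success
        return True, "privilege granted"


def run_scenarios():
    """Happy path, second presentation, forged half, wrong privilege and expiry."""
    init_msg, sid_msg = issue_transaction_token(SID_KEY, "alice", "SID-1", "unlock_doors", now=1000)
    sid = SecureIdDevice("SID-1", SID_KEY)
    sid.receive_from_authenticator(sid_msg)
    results = {"first": sid.match(init_msg, now=1010),
               "second_presentation": sid.match(init_msg, now=1011)}
    sid = SecureIdDevice("SID-1", SID_KEY)  # fresh SID state for the failure cases
    sid.receive_from_authenticator(sid_msg)
    results["forged_half"] = sid.match(dict(init_msg, half=bytes(16)), now=1010)
    results["wrong_privilege"] = sid.match(dict(init_msg, privilege="start_engine"), now=1010)
    results["expired"] = sid.match(init_msg, now=1000 + TOKEN_TTL + 1)
    results["valid_after_failures"] = sid.match(init_msg, now=1010)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:22s} {outcome}")
```

The binding covers the user, the SID, the privilege and the expiry, so a half issued for one SID or one privilege cannot be redirected to another; the degree-of-matching criteria mentioned above for degraded channels are not modelled here, since an HMAC either verifies or it does not.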
The steps in the process are as follows:
1st Mobile Login and Pairing to SID - Mobile device logs in to the Platform and pairs with SID for the first time using Bluetooth
- User logs in to mobile App & types in username and Password
- Mobile device attempts to log in - sends username & Password & device IMEI (hashed)
- Platform 30 checks user credentials and authenticates
- If Pass - Platform sends Registered SID BD_ADDRs and Passkeys, user token, ARP version for SID (ARP Table and locket synchronised OTP)
- (If Fail - Platform sends rejection to App - re-login requested, allowing only 5 attempts)
- Mobile app locates SID using BD_ADDR and attempts to pair using passkey
- SID receives pairing request - Pass or Fail notified to app.
SID Activation - Mobile device connects to the SID for the first time and activates SID
- Mobile app contacts the SID and passes Username, BD_ADDR and IMEI (hashed)
- SID responds with a message to inform the mobile application it is inactive
- Mobile app sends an activation request to the SID
- SID sends activation request to the SID Platform: Username, SID ID, BD_ADDR
- Platform authenticates user and SID
- If Pass - Platform sends ARP (for user) and secure token, synchronised OTP token, authorised users (If Fail - Platform sends a fail status)
- SID confirms Pass to mobile and registers user credentials, or sends Fail status to mobile.
Vehicle Operation - Online - The mobile device is connected to the SID and the SID has been activated
- Mobile app sends username and OTP counter to SID
- SID authenticates the details (username and OTP counter)
- If Pass - SID opens PPP Socket (If Fail - sends a fail status to mobile)
- Mobile app sends the operation request to the SID along with the OTP counter
- SID checks with the Platform - username, SID ID, operation ID
- Platform authenticates user and checks if the user is allowed to carry out the operation
- If Pass - Platform sends a pass status (If Fail - Platform sends a fail status)
- SID sends operation request to vehicle control mechanism (VCM)
- VCM returns operation result
- SID informs mobile of operation result
- SID informs Platform of operation result.
Vehicle Operation - Off-line - The Mobile device has been connected to the SID and the SID has been activated
- Mobile app sends username and OTP counter to SID
- SID authenticates the username and OTP counter and responds to the Mobile, opening a PPP Socket if Pass, or sending a fail status to the mobile
- Mobile app sends the operation request to the SID along with the OTP counter
- SID sends operation request to the VCM
- VCM returns operation result
- SID informs mobile of operation result.
Mobile Heartbeat - the regular update from the mobile to upload activities to the Platform and to download ARP and SID information to the mobile (when online)
- On start-up, the mobile application requests a heartbeat transaction. The mobile application sends username, password, IMEI number and geo-location
- Platform authenticates the mobile and responds to the Mobile by returning any SID or ARP updates, or sending a fail status to the Mobile
- Mobile App uploads recent transaction information.
SID Heartbeat - the regular update from the SID to upload activities to the Platform and to download ARP and user information
- At regular intervals, activated SIDs will request a heartbeat transaction, sending SID ID and geo-location
- Platform authenticates the SID and either returns any user or ARP updates or does not respond in the case of a Fail
- SID uploads recent transaction information.
Figure 2 illustrates as a functional diagram an authenticator system or Platform which could form part of the general system illustrated in Figure 1.
The initiator 10 and SID 20 are linked to a secure GSM interface 100. In addition, a web interface 110 is provided to permit normal maintenance and use activities. The three main functions of the authenticator are user profile management 120, asset or resource profile management 130, and privilege management 140. Additional modules handle registration of users 150, authentication of users during transactions 160, component management 170, GIS (Geographic Information System) module 180, rules processing 190, and audit and logging 200.
Various databases 210 store information relating to user authentication, analytics and telematics, Vehicle and User registration details (DVLA), Insurance, Finance and Rental Providers. Communication links 220 are provided from the Platform to providers of such data.
Secure ID Platform is a term used for all the server side components of the solution. These components will be hosted in a secure environment with secure access to the facilities, controlled remote access with firewall, routers, backup and monitoring.
Security
Platform security will be in two sub-components: one to provide SOA Infrastructure Security and one for the Web Console Security.
SOA Infrastructure Security - The Secure ID Platform implements an industry standard SOA based platform and implicitly includes a number of different attack prevention and protection methods. The Platform is scalable and flexible to include a number of security measures and implementations. The Platform continuously monitors transactions, which helps in the detection of such attacks.
Below are some of the attacks and how the Secure ID Platform prevents and actively protects against them.
SQL Injection - The payload involves inserting SQL fragments to return unauthorised data from the server or to return database access information. The Secure ID Platform counters this type of attack in the following ways:
* Ensuring that PEP Servers do not have access to invoke SQL transactions.
* PEP Servers in conjunction with Operational Services will enforce content validation on payloads, such as ContentType validation; mandatory tags will be required and any additional tags will be ignored.
* Untrusted users cannot invoke SQL transactions.
* Database server(s) will have access locked down so that only trusted servers with sufficient privileges are allowed to connect.
* SQL statements are executed with no more than the user permissions sufficient for the statement.
* The Secure ID Solution could have an XML appliance, a combination of hardware and software acting as PEP Servers, to include threat detection.
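The first and fifth bullets above are the two controls that actually stop the injection: the query must treat input as data, and the connection used by the policy enforcement point must not be able to write. The following example is added here to show both; it is not code from the patent or from EUS Associates, and the table, the rows and the use of SQLite's query_only pragma (a stand-in for a database role without write rights) are assumptions for illustration.

```python
import sqlite3


# Constructed in-memory user store standing in for the platform's user
# registration database (hypothetical schema; the patent publishes none).
def build_user_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, tenant TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "tenant-a"), ("bob", "tenant-b")])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # String formatting puts the caller's bytes into the SQL text itself,
    # so a quote in the input rewrites the WHERE clause.
    sql = f"SELECT username, tenant FROM users WHERE username = '{username}'"
    return sorted(conn.execute(sql).fetchall())


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Bound parameter: the driver hands the value to SQLite separately from
    # the statement text, so it is only ever compared as data.
    rows = conn.execute(
        "SELECT username, tenant FROM users WHERE username = ?", (username,)
    ).fetchall()
    return sorted(rows)


def lock_down_for_pep(conn: sqlite3.Connection) -> sqlite3.Connection:
    # "PEP Servers do not have access to invoke SQL transactions": the
    # connection the PEP uses is read-only. SQLite expresses this with the
    # query_only pragma; a server database would use a role that has no
    # INSERT/UPDATE/DELETE grants.
    conn.execute("PRAGMA query_only = 1")
    return conn


def can_write(conn: sqlite3.Connection) -> bool:
    # Probe used to confirm the lock-down actually holds.
    try:
        conn.execute("INSERT INTO users VALUES ('eve', 'tenant-x')")
        return True
    except sqlite3.OperationalError:
        return False
```

With the input `x' OR '1'='1`, `lookup_vulnerable` returns every row while `lookup_safe` returns none; the same probe that inserts a row on an ordinary connection fails on the locked-down one, which is the property to check after any change to the PEP's database credentials.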
Intercept - Replay attack - In this attack, an attempt is made to intercept the payload and replay the payload data in order to spoof legitimate users of the system. The Secure ID Platform counters this type of attack in the following ways:
* PEP Servers in conjunction with Operational Services will implement a User/Device/Platform specific user token for user authentication. This token could be revoked and renewed frequently.
* Operational Services could implement a standards-based OTP (One Time Password), either time-based or event-based. A time-based one-time password expires after every XX seconds. An event-based one-time password is derived from a counter, which changes after a pre-defined event has occurred.
* The Secure ID Solution with an XML appliance could implement the use of timestamps in requests. If a 'stale' timestamp (a configurable parameter) is detected then the request will be rejected.
Embedding Data in Payload attack - This type of attack involves embedding an external document in request payloads in order to feed information to, or gain information from, the server. The Secure ID Platform counters this type of attack in the following ways:
* Apart from the content validation, PEP Servers in conjunction with Operational Services will enforce data validation on payloads.
* Payload data will be verified and validated before processing.
* Responses back to the user will be strictly controlled to avoid sending any information that could be used for attacks.
XPath Injection - Similar to SQL Injection, XPath injection can be used to retrieve or insert data in an XML database. The Secure ID Platform counters this type of attack in the following ways:
* The XML Database will be used to store referential or configuration-related data and not transactional data. This means that no Operational Service accessible via the PEP Servers will interact with the XML Database.
* XPath expressions interacting with the XML Database will only accept data and not XPath.
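Added example, not the patent's own code, covering the two XML points above: the content check that rejects a payload carrying a document type declaration (the vehicle for embedding an external document through an entity), enforces the mandatory tags and discards extras, and the "data, not XPath" rule for lookups in the XML configuration store. The request schema, the asset records and the use of Python's ElementTree XPath subset are assumptions.

```python
import xml.etree.ElementTree as ET

MANDATORY_TAGS = {"username", "asset"}            # hypothetical request schema
FORBIDDEN_MARKERS = (b"<!DOCTYPE", b"<!ENTITY")   # no DTD, hence no entities


def parse_request(raw: bytes) -> dict:
    """Content validation in the PEP: refuse document type declarations (the
    only way to declare an external or internal entity), require the
    mandatory tags, and drop any other tag before processing."""
    for marker in FORBIDDEN_MARKERS:
        if marker in raw:
            raise ValueError("document type declarations are not accepted")
    root = ET.fromstring(raw)
    fields = {child.tag: (child.text or "").strip() for child in root}
    missing = MANDATORY_TAGS - fields.keys()
    if missing:
        raise ValueError(f"missing mandatory tags: {sorted(missing)}")
    return {tag: fields[tag] for tag in sorted(MANDATORY_TAGS)}


# Constructed configuration store of the kind the text keeps in the XML
# database: referential data only (which SID belongs to which tenant).
CONFIG = ET.fromstring(b"""<assets>
  <asset id="SID-001" tenant="tenant-a"/>
  <asset id="SID-002" tenant="tenant-b"/>
</assets>""")


def asset_tenant_vulnerable(asset_id: str) -> list:
    # The caller's value is spliced into the XPath, so a quote and a bracket
    # in it can close the predicate and continue the path elsewhere.
    return [a.get("tenant") for a in CONFIG.findall(f"./asset[@id='{asset_id}']")]


def asset_tenant_safe(asset_id: str) -> list:
    # Fixed XPath; the caller's value is only ever compared as data.
    return [a.get("tenant") for a in CONFIG.findall("./asset")
            if a.get("id") == asset_id]
```

With the input `SID-001']/../asset[@id='SID-002`, the spliced XPath becomes `./asset[@id='SID-001']/../asset[@id='SID-002']` and the vulnerable lookup answers for a different tenant's asset; the fixed-path lookup returns nothing for the same input.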
SOAP Payload attacks - In this attack, rogue data is included in SOAP payloads to retrieve data from the database. The Secure ID Platform counters this type of attack in the following ways:
* There will not be any external SOAP services accessible.
* Any future SOAP services will include the WS-Security standard to protect against SOAP Web Services based attacks.
Payload attachment attacks - In this attack, payloads carry attachments in the form of a rogue file. The Secure ID Platform counters this type of attack in the following ways:
* Payload ContentType will be validated to ensure only authorised content type data will be processed.
* In addition to the ContentType validation, the MIME type will be filtered and only pre-defined MIME body content will be extracted and stored in a designated format.
* The storage server will have a virus scanner to detect and prevent rogue files being stored on the server.
Tenant Security
The Secure ID Platform is a multi-tenancy platform, which supports hosting multiple customers on a shared infrastructure. The Secure ID Platform will have logical separation of the customer-specific configuration, assets, data and files. The Secure ID Platform will implement the following tenant-specific security measures in order to ensure that there is no or minimal impact on other tenants of the system if a tenant is compromised:
* Each tenant will have a unique 'Authentication Key' (AK) that will be used on the Mobile applications (Users) and SIDs implemented for that tenant. The AK will identify the tenant's transactions on the Secure ID Platform.
* Users and SIDs implemented for a tenant will have different authentication schemes.
* Each tenant could be physically separated and abstracted on the infrastructure, including database and user store.
Security at the SOA Infrastructure will be implemented at a number of different layers:
* Policy Enforcement Point
* Service Access & Execution
* Application Level
* Content Level
* Data Access Level

Crypto Services
Crypto Services are used for encrypting/decrypting data, hashing data, validating data into the platform and applying the appropriate crypto wrapper around the raw data, which will be returned to the consumers. Crypto Services implement ARP and enforce the defined ARP policy on the other participants within the ecosystem.
A = Encryption Algorithm
R = Hashing Routine
P = Process of encrypting/decrypting and/or hashing data
Example: Version 1 of ARP may use AES 256 encryption and SHA256 for secure hashing with the following parameters.
ARP v1 Process
A: U+P, SHA256 hashed; the result is used as the encryption key
R (w/P): U+P+S+P+AP
R (w/S): BD_ADDR+S+C
U = Username
P = User's password
S = SID ID
AP = Authentication Padding (unique for a tenant or API user)
C = OTP (One Time Password) Counter
P = Platform ID
BD_ADDR = Bluetooth Device Address
w/P = Comms with Platform
w/S = Comms with SID
Crypto Services define the ARP Table and dynamically enforce the ARP version to be used for each User/App/Platform and User/SID/Platform combination instance by the participants of the ecosystem. Crypto Services also provide a management layer to define rules for ARP, such as automatic or manual change and how often the ARP version changes for a combination instance.
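The ARP v1 process above, written out as an added example (not the patent's own code): the ARP Table row selects the hashing routine and the process, and the derivation produces the 32-byte key that AES-256 would consume plus the two hashes for platform and SID communications. The text uses the letter P for both the user's password and the Platform ID; this example assumes the first P in U+P+S+P+AP is the password and the second is the Platform ID. The AES-256 encryption step that uses the key is outside this block.

```python
import hashlib


# One row per ARP version: A (encryption algorithm the key feeds),
# R (hashing routine) and P (how the key and the two hashes are built).
# Only version 1, the example given in the text, is filled in.
ARP_TABLE = {
    1: {
        "algorithm": "AES-256",
        "routine": "sha256",
        "process": "key=R(U+P); R(w/P)=R(U+P+S+P+AP); R(w/S)=R(BD_ADDR+S+C)",
    },
}


def _digest(routine: str, *parts: str) -> bytes:
    # Plain concatenation, exactly as the process description writes it.
    h = hashlib.new(routine)
    h.update("".join(parts).encode("utf-8"))
    return h.digest()


def arp_material(version: int, username: str, password: str, sid_id: str,
                 platform_id: str, auth_padding: str, bd_addr: str,
                 otp_counter: int) -> dict:
    """Derive the material for one combination instance under `version`."""
    row = ARP_TABLE[version]
    r = row["routine"]
    return {
        "algorithm": row["algorithm"],
        # A: SHA256(U+P) -> 32 bytes, the right size for an AES-256 key
        "key": _digest(r, username, password),
        # R (w/P): U+P+S+P+AP, password first, Platform ID second (assumed reading)
        "hash_platform": _digest(r, username, password, sid_id, platform_id, auth_padding),
        # R (w/S): BD_ADDR+S+C, where C is the OTP counter
        "hash_sid": _digest(r, bd_addr, sid_id, str(otp_counter)),
    }


def concat_is_ambiguous() -> bool:
    # Without a delimiter or length prefix, different inputs hash identically.
    return _digest("sha256", "ab", "c") == _digest("sha256", "a", "bc")
```

Two caveats a deployment would want before using this as written. SHA-256 over username+password is a fast, unsalted hash, so anyone who obtains the key, or a ciphertext they can test candidate keys against, can try passwords at hardware speed; the PBKDF2 derivation the text later specifies for the mobile app is the stronger way to turn a password into a key. And `concat_is_ambiguous()` returns True: undelimited concatenation lets two different field sets produce the same hash, which a length-prefixed or delimited encoding avoids.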
Figure 3 illustrates the provision of a Secure ID Mobile App for an Android device. The App for other operating systems will be implemented in a similar way. The Secure ID Mobile application will use the following components:
* UI Layer
* Storage
* Crypto
* Connection Manager
* Hardware interfaces to GPS, Accelerometer, etc. via the Android SDK
* Server Communications
Users will install the Secure ID Mobile Application directly from the Google Play Store. The application will be configured seamlessly on the device on first launch. The application will display the login screen for the user to log in.
Data resident on the device will be encrypted using the following techniques:
* Encryption, using standards-based encryption techniques such as AES256 and TDEA in CBC mode (each block XORed with the previous ciphertext block).
* Hashing based on HMAC, SHA256, SHA512 and progressive hashing.
* PBKDF2-based key derivation to produce the keys used for encrypting data. PBKDF2 (Password Based Key Derivation Function 2) is a cryptographic function used to derive keys to encrypt data. It is essentially a password-strengthening algorithm that makes it difficult to recover passwords by brute-force attack.
The mobile application will use ARP to communicate with the Secure ID Platform. The mobile application will have a local store of the ARP Table with a number of encryption and hashing techniques, processes and parameters to use in communication with the Platform.
The user will have the option to set up a passcode to unlock the application when it is launched. This is standard on secure applications and prevents anyone else from launching the app and starting to use it. Initially, the passcode will be 4 digits and will be encrypted and stored locally. Data security techniques will be used to store the passcode securely.
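Added example for the passcode and the PBKDF2 key derivation above (not code from the patent): the app stores only a salt, an iteration count and a PBKDF2-HMAC-SHA256 verifier, derives the data-encryption key from the passcode under a second purpose string so that the stored verifier is not the key, and caps failed attempts because a 4-digit code has only 10,000 values. The iteration count, key length, purpose strings and attempt limit are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumption: the text gives no iteration count
KEY_LEN = 32           # 256-bit output, the size AES-256 needs


def derive(passcode: str, salt: bytes, purpose: bytes,
           iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256. `purpose` is mixed into the salt so that the
    stored verifier and the data-encryption key are different keys."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"),
                               salt + purpose, iterations, KEY_LEN)


def enrol(passcode: str, iterations: int = ITERATIONS) -> dict:
    """The record the app writes to local storage: salt, cost and verifier.
    Neither the passcode nor the data key is ever stored."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "verifier": derive(passcode, salt, b"verify", iterations)}


class PasscodeLock:
    """Unlock check with an attempt counter. The KDF cost slows each guess,
    but 10,000 candidates is small enough that only a hard cap on failures
    (or a device-bound key) keeps a 4-digit code from being enumerated."""

    def __init__(self, record: dict, max_attempts: int = 5):
        self.record = record
        self.max_attempts = max_attempts
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_attempts

    def unlock(self, passcode: str):
        """Return the data-encryption key on success, None otherwise."""
        if self.locked:
            return None
        rec = self.record
        candidate = derive(passcode, rec["salt"], b"verify", rec["iterations"])
        if not hmac.compare_digest(candidate, rec["verifier"]):
            self.failures += 1
            return None
        self.failures = 0
        return derive(passcode, rec["salt"], b"data", rec["iterations"])
```

The key returned by `unlock` is what the AES-256 routine above would use for the local database and files; it exists only in memory while the app is unlocked. If the stored record is copied off the device, the attacker still has to pay the PBKDF2 cost per guess, but with only 10,000 possible codes that is minutes of work, which is why the attempt cap matters and why the text's later move to stronger local protection should be read as necessary rather than optional.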
The application will communicate with the SID and allow users to perform vehicle operations such as unlocking doors.
SID Client
The SID client will connect to the Secure ID platform to validate transactions on the user's behalf and, on successful validation, direct the Controller to perform the action.
Example Scenario for Online (Connected) communication
The user will use the smartphone to pair it with the SID's Bluetooth interface using the mobile OS settings. On launch, the Secure ID mobile app will auto-connect to the already paired SID using Bluetooth (assuming it is the only asset configured in the app). Based on the user's action, the app will send a request to the vehicle to perform actions such as lock/unlock door(s), obtain vehicle status information, etc. The requested action will be received by the SID and authenticated. If the requested action is in the core set of actions (such as lock/unlock vehicle) then the SID client will send the request to the Secure ID server platform to validate the transaction. The aim is to authenticate the action locally and validate it with the Secure ID platform to ensure a 2-step authentication and verification process for a core action. On successful validation the SID client will pass the request to the Controller to perform the action.
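The online scenario above and Claims 1 to 3 below describe the same exchange: the authenticator checks the user's identity data and privilege, sends a transaction token to both the user device and the access device, and the access device either compares identical tokens (Claim 2) or combines two halves of a master token and has the authenticator confirm the result (Claim 3). The following is an added example of that exchange, not the patent's implementation; the identity verifier (a plain SHA-256 of the identity data, which a real deployment would replace with a slow KDF), the 30-second token lifetime and the identifiers are assumptions.

```python
import hashlib
import hmac
import secrets


class Authenticator:
    """Central authenticator: identity data, privileges and token issue
    (Claim 1 steps (a) to (c))."""

    def __init__(self):
        self.identity = {}       # user_id -> SHA-256 of identity data (toy verifier)
        self.privileges = set()  # (user_id, access_device_id, action)
        self.masters = {}        # tx_id -> master token (Claim 3 variant)

    def register_user(self, user_id: str, identity_data: str) -> None:
        self.identity[user_id] = hashlib.sha256(identity_data.encode()).digest()

    def grant(self, user_id: str, access_device_id: str, action: str) -> None:
        self.privileges.add((user_id, access_device_id, action))

    def request_privilege(self, user_id: str, identity_data: str,
                          access_device_id: str, action: str, split: bool = False):
        """Verify identity data and privilege, then return (tx_id, token for
        the user device, token for the access device), or None on refusal."""
        stored = self.identity.get(user_id)
        presented = hashlib.sha256(identity_data.encode()).digest()
        if stored is None or not hmac.compare_digest(stored, presented):
            return None
        if (user_id, access_device_id, action) not in self.privileges:
            return None
        tx_id = secrets.token_hex(8)
        master = secrets.token_bytes(32)
        if split:                      # Claim 3: two parts of one master token
            self.masters[tx_id] = master
            return tx_id, master[:16], master[16:]
        return tx_id, master, master   # Claim 2: identical tokens

    def confirm(self, tx_id: str, combined: bytes) -> bool:
        """Claim 3 check: the recombined token must equal the stored master.
        The master is consumed, so a second confirmation attempt fails."""
        master = self.masters.pop(tx_id, None)
        return master is not None and hmac.compare_digest(master, combined)


class AccessDevice:
    """The SID side: keeps the token it was sent and performs the match when
    the user device presents its own token (steps (d) and (e))."""

    def __init__(self, authenticator: Authenticator):
        self.authenticator = authenticator
        self.pending = {}   # tx_id -> (token, action, expires_at)

    def receive_token(self, tx_id: str, token: bytes, action: str,
                      now: int, ttl: int = 30) -> None:
        self.pending[tx_id] = (token, action, now + ttl)

    def exercise(self, tx_id: str, user_token: bytes, action: str,
                 now: int, split: bool = False) -> bool:
        entry = self.pending.pop(tx_id, None)   # one-shot: a replay finds nothing
        if entry is None:
            return False
        device_token, allowed_action, expires_at = entry
        if now > expires_at or action != allowed_action:
            return False
        if split:
            return self.authenticator.confirm(tx_id, user_token + device_token)
        return hmac.compare_digest(user_token, device_token)


def run_flow(split: bool, pin: str = "2468", now: int = 1000) -> bool:
    """One complete unlock request on constructed data."""
    auth = Authenticator()
    auth.register_user("alice", "2468")
    auth.grant("alice", "SID-001", "unlock")
    sid = AccessDevice(auth)
    issued = auth.request_privilege("alice", pin, "SID-001", "unlock", split)
    if issued is None:
        return False
    tx_id, user_token, device_token = issued
    sid.receive_token(tx_id, device_token, "unlock", now)             # step (c)
    return sid.exercise(tx_id, user_token, "unlock", now + 5, split)  # steps (d), (e)
```

The checks that make this hold up are the ones the text leaves implicit: the token is bound to a transaction id and an action, it expires, and it is consumed on first use, so a captured user-device token cannot be presented again or redirected to a different action. In the split variant the access device never sees a complete master token until the user device arrives, and the authenticator is the only party that can say whether the two halves belong together.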
Controller - the component that interfaces with the vehicle locking mechanism and will send the appropriate command or signal to lock/unlock the vehicle.
Policy Manager -will retrieve up-to-date policies from the Secure ID server platform, enforce and audit on the policies.
Data Collector - a background daemon/service that collects audit and transaction data and stores it in a local analytics data store. The collected data will be sent to the Secure ID server platform periodically and, on positive acknowledgement, deleted from the SID.
Health Monitoring - This component will include a module for fault detection, fault resolution and self-healing. A heartbeat service will periodically ping the Secure ID server platform to report on health, send diagnostic information on the SID, upload offline transaction data and download any updated security policy and/or configuration.
Data Store -A combination of encrypted database and file storage will be used as the Data Store component of the SID architecture.
The SID has an ARP Table, which it uses to securely hash, encrypt and communicate with the Platform.
Service Libraries:
* Storage - Facilitates Secure DataStore and Filesystem storage
* Crypto - Encrypt data; ARP; HOTP algorithm
* Connection Manager - Checks connectivity and decides which interface to use
Local HW Interface Libraries to interface with:
* H24 3G/GPRS module for wireless network connectivity
* GPS to acquire location data on the SID
* Bluetooth 2.1 + EDR module for Bluetooth connectivity from smartphones
Update Service - Over-The-Air software updates
SID Vehicle Interfaces - The SID will have an interface to the vehicle locking mechanism, which will perform the vehicle operations. This interface may be a combination of hardware, wiring and software.
Physical Connectivity -The physical connectivity to the vehicle locking mechanism will be basic for the PoC. The interface will be analogue and for the PoC may be either a relay or a switch.
Abbreviations used herein
BD_ADDR - 48-bit unique Bluetooth address uniquely identifying a Bluetooth device
SID - Secure Identification Device
OTP - One Time Password
DVLA - Driver and Vehicle Licensing Agency, the UK government agency for registering vehicles and drivers
ARP - A (Encryption Algorithm), R (Hashing Routine), P (Process); see Crypto Services
IMEI - International Mobile Station Equipment Identity

Claims (6)

  1. An access authorisation system, comprising a central authenticator, a user device and an access device, the user device and access device being remote from the central authenticator and each being programmable and configured to communicate with the other and with the central authenticator, wherein the authenticator stores: a user identifier and personal identity data associated therewith; an access device identifier and data relating to a resource controlled by the access device; and a privilege granted to the user to use a resource controlled by the access device; wherein the user device, the authenticator and the access device are programmed to perform the following steps in response to the user causing the user device to request from the authenticator exercise of the privilege: (a) in response to receipt of the request, the authenticator instructs the user device to display to the user a request to input personal identity data; (b) the user device transmits the personal identity data input by the user to the authenticator and the authenticator compares this with stored data to verify the user's identity; (c) the authenticator transmits a transaction token to the access device and to the user device; (d) the user device communicates with the access device to request exercise of the privilege, the communication including the user device transaction token; and (e) a matching operation is performed on the user device transaction token and the access device transaction token and the access device is arranged to allow exercise of the privilege if the result of the matching process meets predetermined criteria.
  2. A system according to Claim 1, wherein the matching operation is performed by the access device and comprises comparison of identical tokens.
  3. A system according to Claim 1, wherein the access device token and the user device token are two parts of a master token generated by the authenticator, and the matching operation comprises the access device combining the access device and user device tokens and transmitting the combined token to the authenticator, and the authenticator comparing the combined token with the master token and transmitting an authorisation to the access device if the agreement between the combined token and the master token is within predetermined criteria.
  4. A system according to Claim 1, 2 or 3, comprising encrypting the tokens before transmission.
  5. A secure communication system between a verification device and a remote device, wherein the remote device comprises: communication means for transmitting data to and receiving data from the verification device; processing means having an operating system for controlling the basic operation of the remote device and a container program installed thereon to function under the operating system; the verification device comprises: communication means for transmitting data to and receiving data from the remote device; processing means programmed to communicate with the container program in the remote device to install on the remote device, in response to receipt of a communication request from the remote device, a temporary virtual machine controlling communication with the verification device independently of the operating system of the remote device; and the container program is configured to uninstall the virtual machine from the remote device in response to an instruction from the verification device via the virtual machine.
  6. A secure data communications system, comprising first and second programmable devices configured to communicate with each other and with a remote server device configured to issue at intervals to the first device and the second device an encrypted security code, the system further being configured such that, when any of the devices initiates communication with any of the other devices by transmission of its security code, the receiving device compares the received code with the most recent security code received from the server and only allows communication to continue if the conformity between the codes and their transmission criteria is within predetermined limits.
GB1314172.6A 2013-08-07 2013-08-07 Access authorisation system and secure data communications system Withdrawn GB2516939A (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
GB1314172.6A GB2516939A (en) 2013-08-07 2013-08-07 Access authorisation system and secure data communications system
EP14762052.0A EP3031036A2 (en) 2013-08-07 2014-08-07 Access and control authorisation system
PCT/GB2014/052429 WO2015019104A2 (en) 2013-08-07 2014-08-07 Access and control authorisation system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB1314172.6A GB2516939A (en) 2013-08-07 2013-08-07 Access authorisation system and secure data communications system

Publications (2)

Publication Number Publication Date
GB201314172D0 GB201314172D0 (en) 2013-09-18
GB2516939A true GB2516939A (en) 2015-02-11

Family

ID=49224326

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1314172.6A Withdrawn GB2516939A (en) 2013-08-07 2013-08-07 Access authorisation system and secure data communications system

Country Status (3)

Country Link
EP (1) EP3031036A2 (en)
GB (1) GB2516939A (en)
WO (1) WO2015019104A2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105976466A (en) * 2016-05-03 2016-09-28 科世达(上海)管理有限公司 Car access control opening method
CN105976472A (en) * 2016-05-20 2016-09-28 科世达(上海)管理有限公司 Access control permission management method and access control permission system for automobiles

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10124750B2 (en) 2016-04-26 2018-11-13 Honeywell International Inc. Vehicle security module system
US10663965B2 (en) * 2016-09-01 2020-05-26 Ford Global Technologies, Llc Permissions for partially autonomous vehicle operation
US20180082053A1 (en) * 2016-09-21 2018-03-22 Telefonaktiebolaget Lm Ericsson (Publ) Application token through associated container
DE102016011654A1 (en) * 2016-09-27 2017-04-06 Daimler Ag Method for controlling an access authorization and / or driving authorization for a vehicle
EP3439258B1 (en) * 2017-07-31 2020-05-27 Harman International Industries, Incorporated Data protection and security for in-vehicle systems
WO2019067944A1 (en) * 2017-09-29 2019-04-04 Visa International Service Association Federated closed-loop system
EP3899766A1 (en) * 2018-12-21 2021-10-27 Inventio AG Setting up a protected data communication connection between a controller of a passenger transport system and a mobile device
CN112699354A (en) * 2019-10-22 2021-04-23 华为技术有限公司 User authority management method and terminal equipment
CN111540100B (en) * 2020-01-22 2022-05-17 中国银联股份有限公司 Data processing method and system based on asynchronous pre-authorization and offline data authentication
CN112434281A (en) * 2020-11-17 2021-03-02 重庆邮电大学 Multi-factor identity authentication method oriented to alliance chain
CN114465814A (en) * 2022-03-11 2022-05-10 江苏天创科技有限公司 Zero trust safety protection system and protection method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090183541A1 (en) * 2006-04-28 2009-07-23 Babak Sadighi Access Control System and Method for Operating Said System
EP2493232A1 (en) * 2011-02-24 2012-08-29 Research In Motion Limited Personnel access system with verification features utilizing near field communication (nfc) and related methods
US20130257589A1 (en) * 2012-03-29 2013-10-03 Mohammad MOHIUDDIN Access control using an electronic lock employing short range communication with mobile device

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1271418A1 (en) * 2001-06-27 2003-01-02 Nokia Corporation Method for accessing a user operable device of controlled access
JP4403985B2 (en) * 2005-02-22 2010-01-27 トヨタ自動車株式会社 Vehicle remote control device
US7734068B2 (en) * 2005-10-26 2010-06-08 Sentrilock, Inc. Electronic lock box using a biometric identification device
SG187994A1 (en) * 2011-08-10 2013-03-28 Certis Cisco Security Pte Ltd An access control system
KR101304617B1 (en) * 2011-10-07 2013-09-05 엘에스산전 주식회사 Method for user authentication in in-home display
DE102011122461A1 (en) * 2011-12-22 2013-06-27 Airbus Operations Gmbh Access system for a vehicle and method for managing access to a vehicle

Also Published As

Publication number Publication date
EP3031036A2 (en) 2016-06-15
GB201314172D0 (en) 2013-09-18
WO2015019104A2 (en) 2015-02-12
WO2015019104A3 (en) 2015-06-11

Similar Documents

Publication Publication Date Title
GB2516939A (en) Access authorisation system and secure data communications system
EP1360568B1 (en) Method and system for securing a computer network and personal identification device used therein for controlling access to network components
US10068397B2 (en) System and method for access control using context-based proof
US8595810B1 (en) Method for automatically updating application access security
US11252142B2 (en) Single sign on (SSO) using continuous authentication
CN102215221B (en) Methods and systems for secure remote wake, boot, and login to a computer from a mobile device
US10219154B1 (en) Frictionless or near-frictionless 3 factor user authentication method and system by use of triad network
CN108111473B (en) Unified management method, device and system for hybrid cloud
US20080148046A1 (en) Real-Time Checking of Online Digital Certificates
US8769289B1 (en) Authentication of a user accessing a protected resource using multi-channel protocol
CN109088849B (en) Method and device for authenticating a user on a vehicle
JP2019531567A (en) Device authentication system and method
AU2002226231A1 (en) Method and system for securing a computer network and personal identification device used therein for controlling access to network components
US11757911B2 (en) Method and system for providing security on in-vehicle network
US10361867B2 (en) Verification of authenticity of a maintenance means connected to a controller of a passenger transportation/access device of a building and provision and obtainment of a license key for use therein
CN108701384B (en) Method for monitoring access to electronically controllable devices
CN110990827A (en) Identity information verification method, server and storage medium
US11245526B2 (en) Full-duplex password-less authentication
CN108322507B (en) Method and system for executing security operation by using security device
US9954853B2 (en) Network security
JPH11212922A (en) Password management and recovery system
CN108337235B (en) Method and system for executing security operation by using security device
CN113596009A (en) Zero trust access method, system, zero trust security proxy, terminal and medium
US9323911B1 (en) Verifying requests to remove applications from a device
US10298588B2 (en) Secure communication system and method

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)